
cargo audit reported vulnerabilities in 2.12.0

Open cataggar opened this issue 3 years ago • 4 comments

http-types 2.12.0 is the latest version. The default features pull in dependencies with reported vulnerabilities.

Steps to reproduce. The cargo check will create the Cargo.lock that cargo audit uses.

git checkout tags/v2.12.0
cargo check
cargo audit
PS C:\Users\cataggar\io\http-types> cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 421 security advisories (from C:\Users\cataggar\.cargo\advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (135 crate dependencies)
Crate:         aes-soft
Version:       0.6.4
Warning:       unmaintained
Title:         `aes-soft` has been merged into the `aes` crate
Date:          2021-04-29
ID:            RUSTSEC-2021-0060
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0060
Dependency tree:
aes-soft 0.6.4
└── aes 0.6.0
    └── aes-gcm 0.8.0
        └── cookie 0.14.4
            └── http-types 2.12.0

Crate:         aesni
Version:       0.10.0
Warning:       unmaintained
Title:         `aesni` has been merged into the `aes` crate
Date:          2021-04-29
ID:            RUSTSEC-2021-0059
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0059
Dependency tree:
aesni 0.10.0
└── aes 0.6.0
    └── aes-gcm 0.8.0
        └── cookie 0.14.4
            └── http-types 2.12.0

Crate:         cpuid-bool
Version:       0.2.0
Warning:       unmaintained
Title:         `cpuid-bool` has been renamed to `cpufeatures`
Date:          2021-05-06
ID:            RUSTSEC-2021-0064
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0064
Dependency tree:
cpuid-bool 0.2.0
└── polyval 0.4.5
    └── ghash 0.3.1
        └── aes-gcm 0.8.0
            └── cookie 0.14.4
                └── http-types 2.12.0

Crate:         stdweb
Version:       0.4.20
Warning:       unmaintained
Title:         stdweb is unmaintained
Date:          2020-05-04
ID:            RUSTSEC-2020-0056
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree:
stdweb 0.4.20
└── time 0.2.27
    └── cookie 0.14.4
        └── http-types 2.12.0

warning: 4 allowed warnings found

cataggar avatar Jul 05 '22 22:07 cataggar
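A small triage helper for the report above, added here as an example and not part of http-types or cargo-audit: it parses the text records cargo audit prints and groups the advisory IDs by the direct dependency that introduces them, which for this issue points every finding at cookie 0.14.4. The sample report embedded in the code is constructed from two of the records above with the other fields omitted.

```python
import re
from collections import defaultdict
# Constructed sample in the layout of the issue's cargo audit output (Version/Title/Date/URL lines omitted).
SAMPLE_REPORT = """\
Crate:         aes-soft
ID:            RUSTSEC-2021-0060
Dependency tree:
aes-soft 0.6.4
└── aes 0.6.0
    └── aes-gcm 0.8.0
        └── cookie 0.14.4
            └── http-types 2.12.0

Crate:         stdweb
ID:            RUSTSEC-2020-0056
Dependency tree:
stdweb 0.4.20
└── time 0.2.27
    └── cookie 0.14.4
        └── http-types 2.12.0
"""
FIELD = re.compile(r"^(Crate|Version|Warning|Severity|ID):\s+(.*)$")

def parse_report(text):
    """One dict per record; 'path' holds 'name version' strings from the flagged crate up to the root."""
    findings, in_tree = [], False
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:  # a field line always ends any tree in progress
            in_tree = False
            if m.group(1) == "Crate":
                findings.append({"crate": m.group(2), "path": []})
            else:
                findings[-1][m.group(1).lower()] = m.group(2)
        elif line.startswith("Dependency tree:"):
            in_tree = True
        elif in_tree and line.strip():
            findings[-1]["path"].append(line.strip().lstrip("└─ "))
        else:
            in_tree = False  # a blank line or the trailer ends the tree
    return findings

def group_by_direct_dependency(findings, root):
    """Map each direct dependency of `root` to the set of advisory IDs it pulls in."""
    groups = defaultdict(set)
    for f in findings:
        names = [p.split()[0] for p in f["path"]]
        if root in names and names.index(root) > 0:
            groups[f["path"][names.index(root) - 1]].add(f["id"])
    return dict(groups)
```

Running `group_by_direct_dependency(parse_report(SAMPLE_REPORT), "http-types")` returns a single key, cookie 0.14.4, carrying both advisory IDs, which is the same conclusion the thread reaches: one dependency bump (or disabling the default feature) clears all of them.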

The main branch updates to cookie v0.14.4 -> v0.16.0 and does not have the vulnerabilities. It would be good to publish a new version.

cataggar avatar Jul 05 '22 22:07 cataggar

An alternative is to disable the optional feature.

http-types = { version = "2.12", default-features = false }

cataggar avatar Jul 05 '22 22:07 cataggar

@jbr @yoshuawuyts @Fishrock123 Could one of you make a new release so this can be closed?

Dentosal avatar Nov 09 '22 03:11 Dentosal

I am once again asking for a new release 😄

expenses avatar May 22 '23 03:05 expenses